With Valentine’s day approaching, the group continues to spam out links to a new set of sites with some new themes and filenames to watch for, like “reader.exe” and “run.exe”. The pages do not yet seem to carry redirects to pages hosting exploits. Instead, the text directs the user to “Click here to view your card.” Do not download and run these executables. Instead, please click on this post’s Waledac blog label below for previous posts about the ongoing threat.

And another…

Messages related to the image above include subjects like “A Valentine E-Card from ” and text like…
has sent you a Valentine’s Day greeting card and wrote this to you:
“Heaven is not heaven without U”
Just click on the following link to see your E-card:
hxxp://yolk .fun loveonline .com/?cardnum=
For your convenience, the greeting card will be available for the next 30 days.”
Do not click on the link or download the malware at that link.

Messages wishing you a “Happy Valentines Day!” contain text like

Flora just mailed an electronic Valentine greeting card and wrote this to you:
“love u so much dear..”

To view this page please click here:
hxxp:// ii. cherishpoems.com/?code=rand_num
You can see your card at any time within 30 days.”

Leading to teddy bear malware:

In one of their more complicated themes, the Waledac team is following up on a previous blast, spamming out links to a few new malicious websites, each one using a strange “Valentine Devkit” theme. Clicking on an image on one of these pages results in a download of various names: loveprogramm.exe, ecard.exe, postcard.exe, lovekit.exe, mylove.exe, runme.exe, loveexe.exe… The files themselves are effectively obfuscated, with very low (non-existent) AV scanner detection at the current time. The site suggests that a “nicely designed Valentines Card for your sweetheart” can be created with their “Valentine Devkit”.

The web pages seem unusual for the group in one respect, they do not provide the “google-analytics.js” javascript link that was present on previous campaigns. That means the team is not delivering the commodity client side exploits (drive-by exploits) to distribute their malware just yet. Instead, they are relying on the gullibility of users to download and install the malware files on their own. ThreatFire currently is preventing the malware in our community in low volume.

There seem to be some legitimate development kits of this sort: on another web site, instructions that may be getting confused and mimicked with the Waledac gang’s devkit explain how to use another “devkit” to create a Flash ecard in time for Valentine’s Day. Other searches for Valentine’s Day Dev Kits produce kits to be run on other operating systems.

We’ll share some additional research notes on the malware’s functionality and its obfuscation, be sure to check in later.

The distributors currently are using
hxxp://goodnewsreview.com
hxxp://worldnewseye.com
hxxp://www.spacemynews.com
hxxp://www.worldnewsdot.com
hxxp://www.worldtracknews.com
hxxp://www.wapcitynews.com
hxxp://linkworldnews.com
hxxp://goodnewsdigital.com
hxxp://waleprojekt.com
hxxp://expowale.com
hxxp://topwale.com
to serve up some these files and the nice graphics above with a cute question “Guess, which one is for you?”. Old sites listed at Shadowserver and other sites are being re-used as well with the new valentine’s day theme. A screenshot of one of the sites is above.
Along with the visual pleasantries, we are also seeing the standard set of commodity exploits served up to unsuspecting visitors via a redirection to a “google-analysis.js” obfuscated javascript.

DO NOT VISIT THESE SITES, DO NOT DOWNLOAD AND RUN THESE EXECUTABLES.

Compare to last year’s Valentine’s day Storm theme that we described in a post, which they served up “With love!”:

And another of Storm’s themes that we posted about here.

The Waledac operators have automated a fairly predictable registration and setup of their malicious web sites and corresponding online pharmaceutical sites reported as fraudulent. They are abusing fast flux dns at an impressive rate as well.
DO NOT VISIT THESE SITES. THEY ARE MALICIOUS AND MAY INFECT YOUR SYSTEM IF YOU CHOOSE TO VISIT THEM WITH A WEB BROWSER. Here are a few that were registered and set up this morning. Be aware that this spamming/botnet operation is an ongoing one:
hxxp://topgreetingsite.com
hxxp://www.greetingsupersite.com
hxxp://www.greetingcardgarb.com
hxxp://greetingcardcalendar.com
hxxp://directchristmasgift.com

You get the idea. Do not fall for the links being spammed out in email messages as ecard deliveries and do not fall for the current “card.exe” being distributed.

And here is an example message spammed out by the Waledac worm:
“Jeff has mailed a e-card.
Just click on the following Internet address:
hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d
Brought to you by 123Christmas-Greetings!”

Spammed message here using the Christmasbuzz name:
“Thomas has sent an e-card.
Click on the following link or copy and paste the following link into your web
browser’s address bar: hxxp:// smart cardgreeting.com/ ?code=844e643ab7
(c) Christmasbuzz.com”

Legitimate Christmasbuzz site looks like this snapshot:

Another spammed message from the worm:
“Thomas sent you a ecard.
Click on the following link to see your Ecard:
hxxp://world greetingcard.com/ ?id=1025025ecd
Thanks for Using Card Fountain!”

And the corresponding legitimate Card Fountain web site here:

Do not randomly click on links emailed to you, as pointed out previously. Ecards and greetings can be a sore spot for a lot of users before and after the holiday seasons, but it can be nice to receive holiday wishes when they come from legitimate sites.
Also note that most of the legitimate sites provide users with flash movies and other animated cards, instead of the “card.exe” malcode.

Current malicious sites are serving exploit pages and “card.exe” at the following domains, do not visit them. Some were registered by the botherders earlier today, along with a slew of domains that are now hosting online canadian pharmacy sites:
eternalgreetingcard.com
worldgreetingcard.com
smartcardgreeting.com
superyearcard.com
cardnewyear.com
newyearcardonline.com
youryearcard.com
newyearcardcompany.com
bestyearcard.com
newyearcardservice.com
newyearcardfree.com
The guys over at Shadowserver posted a writeup on the worm to close out 2008, and included a list of domains being used by the botherders at the time. The distributors continue to be active.

And why might this Storm copycat scheme come back in vogue? Spam, of course!
In addition to the links to malicious attacking sites being sent out (posted in the description above), holiday-themed, seasonal spam containing links to online Canadian pharmacies peddling viagra and “enhancement” drugs are being blasted by infected systems as well:

“Subject: When going on holiday take bluepills with you to ensure potence!
We have everything to make your love more passionate.
hxxp:// thank believe.com/”

“Be ready for spring love marathon! hxxp:// character effect.com/”

“Start enjoying your xxxlife! hxxp:// grew ten.com/”

“Subject: How intresting is your bedroom life?
Dont put your health at stake! hxxp:// what least.com/”

“Subject: Latest news from your doctor.
Our experts recommend! hxxp:// steam coast.com/”

It appears to be a fairly international spamming effort with DNS domains rapidly being registered in China and Latvia, exploit pages served in the U.S., and pharma sales coming out of Canada off of servers hosted in China.

A visit to this page results in multiple client side exploits, delivered by multiple redirected web pages, which TF prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.

The attackers make it obvious what web site they are attempting to mimic in their social engineering scheme. The entire HTML header for the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name =”keywords” content=”new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year”
meta name=”description” content=”2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,…”

Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash videos, and not as “postcard.exe” files.

Update (1/5/2008): Waledac variant card.exe continues to be distributed — we’re seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.

One of the topics near and dear to our PC Tools hearts happened to be the focus of Joe Stewart’s presentation on reversing Storm titled “Protocols and Encryption of the Storm Botnet”. It was somewhat of a Virus Bulletin style presentation, but he added a lot of information regarding offensive techniques for joining the Bot network, disrupting it, and details of his findings about the bot network’s communications. It was great stuff.

Also interesting was Jonathan Rom’s talk on implementing a javascript based persistent rootkit. While it was somewhat stealth, I don’t know that it classified as a rootkit. However, the malcode was fairly well hidden in the plain text file he discussed. And while the design flaw that the code is dependent on for functionality has been patched in Firefox 3 and wasn’t as platform dependent as the intro suggested, the idea was well implemented against XP systems in their demo.

Off to another talk on the development and functionality of dns tunneling reverse shellcode.

If you arrive at a web site with “Who is loving you? Do you want to know?”, offering up “mylove.exe”, ignore it. Don’t run the file, which immediately copies “msvecurity.exe” to the windows directory, and works its standard p2p magic from there.

Interesting to note that it connects back to a chinese server on cadeaux-avenue.cn for config information.

“A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either “Open” or “Run”.”

Do not visit the website:

Of course, instead of a link to a video, the code behind the “mov.gif” image of a video object directs the user to download “beijing.exe“, seen as “beijing[1].exe” on TF users’ systems. When run, this executable drops and starts “msvupdater.exe” in the windows directory on the system. The msvupdater component carries with it the familiar P2P code that Storm uses, and attempts to send out email from the system.

Hidden away in the last line of html source is tiny iframe linking to “ind.php”, as seen here:
iframe src=”ind.php” width=”1″ height=”1″ style=”visibility:hidden;position:absolute”

This php file contains quite a bit of obfuscated javascript. After dissecting the script, we find that it is attacking an older NCTAudioFile2 ActiveX vulnerability, the more recent RealPlayer vulnerability, a older BaiduBar Soba vuln, and a couple of ancient setSlice and WebFolderView vulnerabilities. Basically, these guys have a newer commodity attack kit with some new obfuscation features.

By the looks of it, they can’t even write their web pages to display properly. In the below screenshot, we have a new and currently served storm web page at top, along with the html source in the middle and a gif image in another separate window that the group intended to be displayed at the top center of the original web page.

This mistake and quiet propagation, compared to the fresh and effective flashy pages from almost a year ago, is another sign that the Storm is calming down.